
Application Layer

Network Security

Benefits of Application Layer Security


Application layer security offers fine-grained access control
  Useful when different sources of commands or file service requests have differing rights

Application layer security supports the widest range of interaction patterns

Application layer security can provide (additional) confidentiality protection
  i.e., over-and-above lower layer controls, or without lower layer confidentiality (depending on needs)
  Useful for highly sensitive data (e.g., keys)
10/14/2008 3

Objectives for Application Layer Security


To provide fine-grained access control, the security mechanism must have access to the authenticated identity and security-policy-related details of the interaction (e.g., target subsystem of a command; filename and create/read/update/delete action type; service interface name; operation name)
Common identification and authentication data (and authorization policy data?) usable for multiple apps
Extensible and self-describing protocols (e.g., for type of credential used) support evolution, federation, and diversity of systems
Policy-based approach supports mission-specific rules
Management policies support set up and remote updates
Optional confidentiality protects sensitive data


30-3 APPLICATION LAYER SECURITY


This section discusses two protocols providing security services for e-mails: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME).

TCP/IP Protocol Suite

Topics Discussed in the Section

E-mail Security
Pretty Good Privacy (PGP)
Key Rings
PGP Certificates
S/MIME
Applications of S/MIME


Note

In e-mail security, the sender of the message needs to include the name or identifiers of the algorithms used in the message.


Note

In e-mail security, the encryption/decryption is done using a symmetric-key algorithm, but the secret key to decrypt the message is encrypted with the public key of the receiver and is sent with the message.

Figure 30.22

A plaintext message


Figure 30.23

An authenticated message


Figure 30.24

A compressed message


Figure 30.25

A confidential message


Figure 30.26

Key rings in PGP


Note

In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.


Figure 30.27

Trust model


Figure 30.28

Signed-data content type


Example 30.1
The following shows an example of enveloped-data content in which a small message is encrypted using triple DES.


30-4 FIREWALLS
All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. Figure 30.32 shows a firewall.
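A packet filter of the kind the paragraph describes, written here as an added Python example (it is not code from the TCP/IP Protocol Suite text): a ruleset evaluated top to bottom decides whether each packet arriving from the Internet side is forwarded or filtered, and a packet matching no rule is filtered by default. The internal network (an RFC 5737 documentation range), the mail and web host addresses, the rules and the sample packets are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical internal network of the organization (constructed; RFC 5737 documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at (constructed packets, not a real capture)."""
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "filter", the two outcomes named on the slide
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Rules for packets arriving from the Internet, evaluated top to bottom; the first match wins.
INBOUND_RULES: List[Rule] = [
    # Anti-spoofing: a packet from the outside must not claim an internal source address.
    Rule("filter", src=str(INTERNAL_NET)),
    # Mail may reach the mail server only (hypothetical host 192.0.2.25).
    Rule("forward", proto="tcp", dst="192.0.2.25/32", dport=25),
    # Web traffic may reach the web server only (hypothetical host 192.0.2.10).
    Rule("forward", proto="tcp", dst="192.0.2.10/32", dport=80),
]


def decide(pkt: Packet, rules: List[Rule] = INBOUND_RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); unmatched packets are filtered (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "filter", None


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", "192.0.2.10", 80),   # web request from outside
        Packet("udp", "203.0.113.5", "192.0.2.10", 161),  # SNMP from outside: no rule, filtered
        Packet("tcp", "192.0.2.7", "192.0.2.10", 80),     # outside packet with a spoofed internal source
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt))
```

The anti-spoofing rule sits first on purpose: rules are first-match, so a permissive rule placed above it would let a spoofed packet through before the check is reached.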


Domain Name System

The Domain Name System


The domain name system is usually used to translate a host name into an IP address. Domain names comprise a hierarchy so that names are unique, yet easy to remember.

Netprog 2002 DNS


DNS Hierarchy

(Figure: DNS hierarchy; the root has children edu, com, org and jp, and edu contains rpi and albany)


Host name structure


Each host name is made up of a sequence of labels separated by periods.
Each label can be up to 63 characters. The total name can be at most 255 characters.

Examples:
whitehouse.gov
barney.the.purple.dinosaur.com
monica.cs.rpi.edu


Domain Name
The domain name for a host is the sequence of labels that lead from the host (leaf node in the naming tree) to the top of the worldwide naming tree. A domain is a subtree of the worldwide naming tree.


Top level domains


edu, gov, com, net, org, mil, ...

Countries each have a top level domain (2 letter domain name). New top level domains include:
.aero .biz .coop .info .name .pro


DNS Organization
Distributed Database
The organization that owns a domain name is responsible for running a DNS server that can provide the mapping between hostnames within the domain to IP addresses. So - some machine run by RPI is responsible for everything within the rpi.edu domain.


DNS Distributed Database


There is one primary server for a domain, and typically a number of secondary servers containing replicated databases.

(Figure: the authoritative rpi.edu DNS server holds the rpi.edu DNS DB; secondary servers hold replicas of the DNS DB)


DNS Clients
A DNS client is called a resolver. A call to getByName(host) is handled by a resolver (typically part of the client). Most Unix workstations have the file /etc/resolv.conf that contains the local domain and the addresses of DNS servers for that domain.

/etc/resolv.conf
# local domain, then one nameserver line per DNS server address
domain rpi.edu
nameserver 128.113.1.5
nameserver 128.113.1.3


nslookup
nslookup is an interactive resolver that allows the user to communicate directly with a DNS server. nslookup is usually available on Unix workstations.


$ nslookup
Default Server: oldtotter.cs.rpi.edu
Address: 128.213.8.12

> rpi.edu
Server: oldtotter.cs.rpi.edu
Address: 128.213.8.12

Non-authoritative answer:
Name: rpi.edu
Addresses: 128.113.26.42, 128.113.26.41


DNS Servers
Servers handle requests for their domain directly. Servers handle requests for other domains by contacting remote DNS server(s). Servers cache external mappings.


Server - Server Communication


If a server is asked to provide the mapping for a host outside its domain (and the mapping is not in the server cache):
The server finds a nameserver for the target domain. The server asks the nameserver to provide the host name to IP translation.

To find the right nameserver, use DNS!


DNS Data
DNS databases contain more than just hostname-to-address records:
NS: name server records
CNAME: hostname aliases
MX: mail exchangers
HINFO: host information


The Root DNS Server


The root server needs to know the address of 1st (and many 2nd) level domain nameservers.

(Figure: the same hierarchy as before; the root points at the nameservers for edu, com, org and jp, and edu at those for rpi and albany)


Server Operation
If a server has no clue about where to find the address for a hostname, ask the root server. The root server will tell you what nameserver to contact. A request may get forwarded a few times.


DNS Message Format


HEADER
QUERIES
RESOURCE RECORDS (response)
AUTHORITY RECORDS (response)
ADDITIONAL INFORMATION (response)


DNS Message Header


query identifier
flags
# of questions
# of RRs
# of authority RRs
# of additional RRs

Message Flags
QR: Query=0, Response=1
AA: Authoritative Answer
TC: response truncated (> 512 bytes)
RD: recursion desired
RA: recursion available
rcode: return code


Recursion
A request can indicate that recursion is desired - this tells the server to find out the answer (possibly by contacting other servers). If recursion is not requested - the response may be a list of other name servers to contact.


Question Format
Name: domain name (or IP address)
Query type (A, NS, MX, ...)
Query class (1 for IP)


Response Resource Record


Domain Name
Response type
Class (IP)
Time to live (in seconds)
Length of resource data
Resource data
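The header, flag, question and resource-record layouts from the preceding slides, as an added Python example that is not part of the Netprog slides: it builds a query, parses a response (including the two-byte compression pointers real responses use for repeated names), and checks that a response actually belongs to the query that was sent, since a resolver that accepts any response with the right source port and ignores the query identifier and question is trusting the network. The sample response is constructed to mirror the nslookup slide (two A records for rpi.edu, non-authoritative); the query id 0x1234 and the TTL are made-up values.

```python
import struct
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode "rpi.edu" as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = 1, recursion_desired: bool = True) -> bytes:
    """Header (id, flags, four counts) plus one question; qtype 1 = A, class 1 = IN."""
    flags = 0x0100 if recursion_desired else 0  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_flags(flags: int) -> Dict[str, int]:
    return {
        "QR": (flags >> 15) & 1,  # 0 = query, 1 = response
        "AA": (flags >> 10) & 1,  # authoritative answer
        "TC": (flags >> 9) & 1,   # truncated (response exceeded 512 bytes over UDP)
        "RD": (flags >> 8) & 1,   # recursion desired
        "RA": (flags >> 7) & 1,   # recursion available
        "rcode": flags & 0xF,     # return code, 0 = no error
    }


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following compression pointers; returns (name, offset after the name)."""
    labels: List[str] = []
    end: Optional[int] = None  # where the caller resumes after the first pointer
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, 14-bit offset into the message
            hops += 1
            if hops > 16:  # a pointer chain that loops is malformed; refuse rather than spin
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    records = []
    for _ in range(an + ns + ar):  # answer, authority and additional records share one layout
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the address as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
    return {"id": qid, "flags": parse_flags(flags), "questions": questions, "records": records}


def matches_query(query: bytes, response: bytes) -> bool:
    """Accept a response only if it is a response, carries our id, and echoes our question."""
    q, r = parse_message(query), parse_message(response)
    return r["flags"]["QR"] == 1 and q["id"] == r["id"] and q["questions"] == r["questions"]


# Constructed response (not a capture) mirroring the nslookup slide: two A records for rpi.edu.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # flags 0x8180: QR=1, RD=1, RA=1, AA=0
    + encode_name("rpi.edu") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([128, 113, 26, 42])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([128, 113, 26, 41])
)

if __name__ == "__main__":
    query = build_query(0x1234, "rpi.edu")
    print(parse_message(SAMPLE_RESPONSE))
    print("response matches query:", matches_query(query, SAMPLE_RESPONSE))
```

The pointer 0xC00C in both answers refers back to offset 12, where the question name begins, which is why the record names decode to rpi.edu without the name being repeated on the wire.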


SNMP (Simple Network Management Protocol)

WHAT IS SNMP?
SNMP (Simple Network Management Protocol) is a UDP-based network protocol. It is used mostly in network management systems to monitor networks.

What is Network Management?


Basic tasks that fall under this category are:
Configuration Management: keeping track of device settings and how they function
Fault Management: dealing with problems and emergencies in the network (router stops routing, server loses power, etc.)
Performance Management: How smoothly is the network running? Can it handle the workload it currently has?

SNMP
SNMP is a tool (protocol) that allows for remote and local management of items on the network including servers, workstations, routers, switches and other managed devices. Comprised of agents and managers

Agent - process running on each managed node collecting information about the device it is running on. Manager - process running on a management workstation that requests information about devices on the network.

Advantages of using SNMP


Standardized
universally supported
extendible
portable
allows distributed management access
lightweight protocol

Client Pull & Server Push


SNMP is a client pull model
  The management system (client) pulls data from the agent (server).

SNMP is a server push model
  The agent (server) pushes out a trap message to a (client) management system.

SNMP Messages
SNMP messages may be initiated by either the network management system (NMS) or by the network element. An SNMP TRAP is a message which is initiated by a network element and sent to the network management system. For example, a router could send a message if one of its redundant power supplies fails, or a printer could send an SNMP trap when it is out of paper.

An SNMP GET is a message which is initiated by the network management system when it wants to retrieve some data from a network element. For example, the network management system might query a router for the utilization on a WAN link every 5 minutes.

An SNMP SET is a message which is initiated by the NMS when it wants to change data on a network element. For example, the NMS may wish to alter a static route on a router.

Four Basic Operations


Get
  Retrieves the value of a MIB variable stored on the agent machine (integer, string, or address of another MIB variable)

GetNext
  Retrieves the value of the next MIB variable in lexical order

Set
  Changes the value of a MIB variable

Trap
  An unsolicited notification sent by an agent to a management application (typically a notification of something unexpected, like an error)

The Three Parts of SNMP


SNMP network management is based on three parts:

SNMP Protocol
Defines format of messages exchanged by management systems and agents. Specifies the Get, GetNext, Set, and Trap operations

Management Information Base (MIB)


A map of the hierarchical order of all managed objects and how they are accessed

Structure of Management Information (SMI)


Rules specifying the format used to define objects managed on the network that the SNMP protocol accesses

Nodes
Items in an SNMP Network are called nodes. There are different types of nodes.

Managed nodes
Typically runs an agent process that services requests from a management node

Management nodes
Typically a workstation running some network management & monitoring software

Nodes that are not manageable by SNMP

A node may not support SNMP, but may be manageable by SNMP through a proxy agent running on another machine

Basic Message Format


Message Preamble: Message Length, Message Version, Community String
SNMP Protocol Data Unit: PDU Header, PDU Body

SNMP Architecture
The SNMP architecture includes the following layers:
SNMP Network Managers
Master agents
Subagents
Managed components

SNMP Architecture

Languages of SNMP
Structure of Management Information (SMI)
specifies the format used for defining managed objects that are accessed via the SNMP protocol

Abstract Syntax Notation One (ASN.1)


used to define the format of SNMP messages and managed objects (MIB modules) using an unambiguous data description format

Basic Encoding Rules (BER)


used to encode the SNMP messages into a format suitable for transmission across a network
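The message preamble (version, community string) and PDU from the Basic Message Format slide, encoded with BER as this slide describes, as an added Python example that is not code from the slides: a minimal BER encoder producing an SNMPv1 GetRequest for sysDescr.0, and a decoder that reads the version, community string and PDU type back out of the bytes. The decoder shows what any observer of the wire sees, since SNMPv1 and v2c carry the community string unencrypted; that is the reason monitoring for community strings crossing untrusted links, and for UDP/161 traffic from outside, is worthwhile. The community string "public", request id 1 and the OID are constructed values for the example.

```python
from typing import Tuple

# SNMPv1 PDU tags (context-specific, constructed), as defined for the protocol.
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap"}


def ber_length(n: int) -> bytes:
    """Short form for lengths below 128; long form (0x80 | byte count, then the bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (non-negative values only in this example)."""
    if v < 0:
        raise ValueError("negative integers are not needed here")
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_octets(s: bytes) -> bytes:
    return tlv(0x04, s)


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version INTEGER 0, community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # { name, value NULL }: value is empty in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + ber_octets(community.encode()) + pdu)


def read_tlv(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at off; returns (tag, value bytes, offset just after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def inspect_message(msg: bytes) -> Tuple[int, str, str]:
    """Read the cleartext preamble of a v1/v2c message: (version, community string, PDU type)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, off = read_tlv(body)
    _, community, off = read_tlv(body, off)
    pdu_tag, _, _ = read_tlv(body, off)
    return int.from_bytes(version, "big"), community.decode(), PDU_TAGS.get(pdu_tag, "unknown")


if __name__ == "__main__":
    msg = get_request("public", "1.3.6.1.2.1.1.1.0")  # sysDescr.0
    print(msg.hex())
    print(inspect_message(msg))
```

Every field of the 40-byte message, including the community string, is readable by anyone who sees the datagram; only SNMPv3 adds authentication and encryption to the message itself.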

Commercial SNMP Applications


Here are some of the various SNMP Management products available today:
HP OpenView: http://www.hp.com/go/openview/
IBM NetView: http://www.tivoli.com/
Novell ManageWise: http://www.novell.com/products/managewise/
Sun Microsystems Solstice: http://www.sun.com/solstice/
Microsoft SMS Server: http://www.microsoft.com/smsmgmt/
Compaq Insight Manager: http://www.compaq.com/products/servers/management/
SnmpQL (ODBC compliant): http://www.redpt.com/

Electronic Mail

Electronic Mail
You know what you can do with email!
It offers a service that allows users to send messages to each other.

Issues addressed in the email service:
What messages can be sent?
How to address other users?
How can it work when your PC is shut down?

Email uses several application protocols:
SMTP: to exchange email messages between email servers and to send email from your PC to an email server.
POP or IMAP: to retrieve email messages from your email server to your PC.
MIME: to structure the content of the email message.

B.J.F. van Beijnum Introduction to Telematics Systems Part 10 Application

Electronic Mail
Three major components:
user agents
mail servers
simple mail transfer protocol: SMTP

User Agent
a.k.a. mail reader
composing, editing, reading mail messages
e.g., Eudora, Outlook, elm, Netscape Messenger
outgoing, incoming messages stored on server

(Figure: user agents attached to mail servers; each mail server holds user mailboxes and an outgoing message queue, and the mail servers talk SMTP to each other)

2: Application Layer


Electronic Mail: mail servers


Mail Servers
mailbox contains incoming messages for user
message queue of outgoing (to be sent) mail messages
SMTP protocol between mail servers to send email messages
  client: sending mail server
  server: receiving mail server

(Figure: mail servers exchanging messages over SMTP, each serving its own user agents)

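The mail-server-to-mail-server exchange on the slides above (client: sending mail server, server: receiving mail server), as an added Python example that is not code from the slides: a minimal receiving-side SMTP state machine driven by a scripted sending side. It shows the envelope (MAIL FROM, RCPT TO) as distinct from the message headers carried inside DATA, the lone-dot terminator with dot-stuffing, and the receiving server refusing to relay to a domain it does not host, which is the check that keeps a mail server from being usable as an open relay. The domains, addresses and script are constructed (RFC 2606 reserved names).

```python
from typing import Dict, List, Optional, Tuple

# Hypothetical domain this receiving mail server accepts mail for (constructed).
LOCAL_DOMAIN = "example.org"


class SmtpServerSession:
    """Receiving mail server side of one SMTP session."""

    def __init__(self, local_domain: str = LOCAL_DOMAIN):
        self.local_domain = local_domain
        self.helo: Optional[str] = None
        self.mail_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self.data_lines: List[str] = []
        self.delivered: List[Dict] = []  # stands in for the users' mailboxes

    def greeting(self) -> str:
        return f"220 mail.{self.local_domain} SMTP service ready"

    def handle(self, line: str) -> str:
        """Process one line from the sending side and return the reply ("" while inside DATA)."""
        if self.in_data:
            if line == ".":  # a lone dot ends the message
                self.in_data = False
                self.delivered.append({"from": self.mail_from, "to": list(self.rcpts),
                                       "data": "\n".join(self.data_lines)})
                self.mail_from, self.rcpts, self.data_lines = None, [], []
                return "250 OK: queued"
            # dot-unstuffing: a body line that began with "." was sent as ".." by the client
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 mail.{self.local_domain} Hello {arg}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Send HELO/EHLO first"
            self.mail_from = self._addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command"
            addr = self._addr(arg)
            if not addr.lower().endswith("@" + self.local_domain):
                return "550 Relaying denied"  # not our domain: an open relay would accept this
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

    @staticmethod
    def _addr(arg: str) -> str:
        """"FROM:<alice@example.net>" -> "alice@example.net"."""
        return arg.split(":", 1)[-1].strip().strip("<>")


def run_session(client_lines: List[str]) -> Tuple[List[Tuple[str, str]], SmtpServerSession]:
    """Drive one scripted session; returns the (client line, server reply) transcript and the server."""
    server = SmtpServerSession()
    transcript = [("", server.greeting())]
    for line in client_lines:
        transcript.append((line, server.handle(line)))
    return transcript, server


# Constructed sending-side script: one message for a local user, one relay attempt that is refused.
CLIENT_SCRIPT = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "RCPT TO:<carol@example.com>",
    "DATA",
    "From: alice@example.net",
    "To: bob@example.org",
    "Subject: hello",
    "",
    "..a body line starting with a dot is sent with the dot doubled",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    transcript, server = run_session(CLIENT_SCRIPT)
    for client_line, reply in transcript:
        if client_line:
            print("C:", client_line)
        if reply:
            print("S:", reply)
    print("delivered:", server.delivered)
```

Note that the envelope recipient list (one accepted RCPT TO) is what the server delivers on; the From: and To: header lines inside DATA are just message content and are not checked against the envelope here.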

Electronic Mail (2)


(Figure: the sending host's User Agent hands the message to its email server's Mail Transfer Agent over SMTP; that MTA relays it over SMTP across the IP network to the receiving email server's MTA; the receiving host's User Agent fetches it with POP3 or IMAP; each hop runs over a transport service provider)


